Tuesday, 13 December 2011

### Snort NIDS ###


Snort can run in three modes:
 1. Network Intrusion Detection System (NIDS)
 2. Packet Sniffer
 3. Packet Logger - logs in tcpdump (pcap) format, so the captures can be read back with tcpdump -r or snort -r

Tasks:
 1. Download and install Snort NIDS
  a. snort.org
  b. Confirm the MD5 checksum: 'md5sum snort-2.8.0.2.tar.gz' and compare the output to the hash in snort-2.8.0.2.tar.gz.md5 (this only catches a corrupted download; it does not authenticate the file)
  c. Import the GPG key used to sign the current Snort release
  d. gpg --verify snort-2.8.0.2.tar.gz.sig snort-2.8.0.2.tar.gz - a good signature from the imported Snort key is what authenticates the tarball; do not extract it if this fails
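The download checks above as one script. This is an added example, not from the original post: it assumes the .md5 file uses the md5sum(1) layout ("<hash>  <filename>") and that the Snort release key has already been imported into the local keyring; extraction only happens when both the checksum and the detached signature pass.

```shell
#!/bin/sh
# Verify a Snort tarball's MD5 checksum and GPG signature before extracting.
# Added example, not from the original post. Assumes the .md5 file has the
# md5sum(1) layout "<hash>  <filename>" and that the signing key is imported.

# Print the MD5 hex digest of a file (md5sum on GNU systems, openssl elsewhere).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# check_md5 TARBALL MD5FILE: return 0 only if the digests match.
check_md5() {
    tarball=$1; md5file=$2
    expected=$(awk 'NR==1 {print $1}' "$md5file" | tr 'A-F' 'a-f')
    actual=$(md5_of "$tarball")
    if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
        echo "MD5 mismatch for $tarball: expected '$expected', got '$actual'" >&2
        return 1
    fi
    echo "MD5 OK: $tarball"
}

# check_sig TARBALL SIGFILE: detached-signature check. Requires the Snort
# release key in the local keyring (gpg --import done beforehand); gpg itself
# reports "Good signature" or "BAD signature" on stderr.
check_sig() {
    tarball=$1; sigfile=$2
    command -v gpg >/dev/null 2>&1 || { echo "gpg is not installed" >&2; return 2; }
    gpg --verify "$sigfile" "$tarball" || { echo "signature FAILED for $tarball" >&2; return 1; }
}

# verify_and_extract TARBALL: run both checks and extract only if both pass.
# Expects TARBALL, TARBALL.md5 and TARBALL.sig in the current directory.
verify_and_extract() {
    tarball=$1
    check_md5 "$tarball" "$tarball.md5" || return 1
    check_sig "$tarball" "$tarball.sig" || return 1
    tar -xzvf "$tarball"
}

# Usage, after downloading the tarball, .md5 and .sig from snort.org:
#   verify_and_extract snort-2.8.0.2.tar.gz
```

The MD5 comparison is deliberately the weaker of the two gates: anyone who can swap the tarball on a mirror can swap the .md5 file beside it, so the script still refuses to extract unless gpg accepts the detached signature.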

Requirements:
 1. gcc - C compiler
 2. make - drives the build and creates the binaries
 3. libpcre (plus headers) - Perl Compatible Regular Expressions, used by Snort's rule matching
 4. mysql-devel* - MySQL client headers and libraries, needed only for the MySQL output plugin enabled by --with-mysql
 5. libpcap* - the packet capture library used by tcpdump; Snort reads all packets through it
 (* the -devel/-dev header packages must be installed, not just the runtime libraries, or ./configure will fail)

 e. Extract and install (compile) Snort NIDS
  e1. tar -xzvf snort-2.8.0.2.tar.gz - creates the top-level source directory; cd into it
  e2. ./configure --with-mysql --enable-dynamicplugin - checks for the prerequisites (mysql-devel, libpcre, libpcap, gcc, make, etc.) and stops early if one is missing
  e3. make - compiles the binaries; this step does not need root
  e4. su to 'root' and run 'make install' - places the binaries under /usr/local (the snort binary in /usr/local/bin, which is on the default PATH)


Usage - Packet Sniffer:
 1. snort -v -i eth0 - prints the IP and TCP/UDP/ICMP headers, i.e. OSI layers 3 and 4
 2. snort -vde -i eth0 - -d adds the application-layer payload and -e adds the link-layer (Ethernet) header, so layers 2 through 7 are shown
 3. snort -vde -i eth0 tcp port 23 - anything after the options is a BPF filter; here only telnet traffic is shown

Usage - Packet Logger:
 1. snort -v -i eth0 -l ./ tcp port 23 - logs to the current directory; without -b Snort writes decoded ASCII packets into per-host subdirectories, so add -b to get a single binary file with a Unix epoch suffix
 2. snort -b -i eth0 - logs binary (tcpdump-format) packets to the default log directory /var/log/snort, which must already exist and be writable by the user running Snort
 3. snort -b -L test.snort.log -i eth0 - names the binary log file, creating /var/log/snort/test.snort.log.<UnixEpoch>

Note: Snort drops fewer packets in binary logging mode than in verbose, dump-to-screen mode: writing raw packets to a file is far cheaper than decoding and printing every packet to the terminal, so leave -v off when capturing on a busy link.
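A small wrapper around the binary logger, added here as an example rather than taken from the original post. It runs snort -b -L for a fixed number of seconds, finds the epoch-suffixed file Snort wrote, and confirms it really is a tcpdump/pcap capture by checking the libpcap magic number, which is what makes it readable by tcpdump -r or snort -r. The interface, log directory, file prefix and capture duration are assumed arguments; snort must be installed and run as root for the capture itself.

```shell
#!/bin/sh
# Added example, not from the original post: run Snort as a binary packet
# logger, then confirm the resulting file is a tcpdump/pcap capture.
# Assumes snort is installed and the log directory is writable.

# is_pcap FILE: return 0 if FILE starts with the libpcap magic number
# (0xa1b2c3d4 in either byte order, or 0xa1b23c4d for nanosecond pcaps).
is_pcap() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1) return 0 ;;
        *) return 1 ;;
    esac
}

# newest_log DIR PREFIX: the PREFIX.<epoch> file in DIR with the largest
# epoch suffix, i.e. the capture Snort wrote most recently.
newest_log() {
    for f in "$1"/"$2".*; do
        [ -f "$f" ] && echo "${f##*.} $f"
    done | sort -n | tail -n 1 | cut -d' ' -f2-
}

# log_and_check IFACE LOGDIR PREFIX SECONDS [BPF...]: capture for SECONDS,
# stop Snort cleanly with SIGINT, then locate and validate the log file.
# Needs root for the capture (libpcap opens the interface).
log_and_check() {
    iface=$1; logdir=$2; prefix=$3; secs=$4; shift 4
    mkdir -p "$logdir"
    snort -b -i "$iface" -l "$logdir" -L "$prefix" "$@" &
    pid=$!
    sleep "$secs"
    kill -INT "$pid"
    wait "$pid" 2>/dev/null
    f=$(newest_log "$logdir" "$prefix")
    [ -n "$f" ] || { echo "no $prefix.* file written under $logdir" >&2; return 1; }
    if is_pcap "$f"; then
        echo "binary log $f is a pcap; read it back with: tcpdump -r $f  (or snort -r $f)"
    else
        echo "$f is not a pcap file" >&2
        return 1
    fi
}

# Usage (as root): capture 30 seconds of telnet traffic on eth0
#   log_and_check eth0 /var/log/snort test.snort.log 30 tcp port 23
```

Checking the magic number rather than trusting the file name matters when the same prefix is reused across runs: the suffix tells you which run wrote the file, and the header tells you it is a complete pcap rather than an empty file left behind by a Snort that failed to open the interface.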
